DAC vs. MAC - Stanford Secure Computer Systems Group
No: Covert channels
• System rife with storage channels
  - Low current-level process executes another program
  - New program reads sensitive file, gets high current-level
  - High program exploits covert channels to pass data to low
• E.g., High program inherits file descriptor
  - Can pass 4 bytes of information to low prog. in file offset
• Other storage channels:
  - Exit value, signals, terminal escape codes, . . .
• If we eliminate storage channels, is system secure?
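The file-offset storage channel on this slide, as an added C example that is not from the Stanford slides: the child process stands in for the High program and encodes a value in the offset of an inherited descriptor, and the parent (Low) reads it back with lseek() after the child exits. The share_description flag also shows the mitigation: when the child open()s the same file itself it gets a separate open file description with a private offset, and the parent observes nothing. Function names and the scratch-file path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create an empty scratch file (constructed for the demo); caller unlinks it. */
static int make_scratch(char *path, size_t len) {
    strncpy(path, "/tmp/covert-XXXXXX", len);
    int fd = mkstemp(path);
    if (fd < 0) { strncpy(path, "./covert-XXXXXX", len); fd = mkstemp(path); }
    return fd;
}

/* "High" side: store a value as the file offset of the open file description.
 * lseek() past end of file is legal on a regular file, so any off_t works. */
static void encode_in_offset(int fd, off_t value) { lseek(fd, value, SEEK_SET); }

/* "Low" side: recover the value by asking where the offset currently is. */
static off_t decode_from_offset(int fd) { return lseek(fd, 0, SEEK_CUR); }

/* Parent plays the Low program, child the High program. With
 * share_description != 0 the child uses the inherited fd, so both share one
 * open file description (and one offset). With 0 the child open()s the path
 * itself, which creates a separate open file description: the channel is gone.
 * Returns the offset the parent observes once the child has exited. */
off_t offset_channel(off_t secret, int share_description) {
    char path[64];
    int fd = make_scratch(path, sizeof path);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); unlink(path); return -1; }
    if (pid == 0) {
        int hfd = share_description ? fd : open(path, O_RDWR);
        if (hfd >= 0) encode_in_offset(hfd, secret);
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    off_t observed = decode_from_offset(fd);
    close(fd);
    unlink(path);
    return observed;
}
```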
No: Timing channels
• Example: CPU utilization
  - To send a 0 bit, use 100% of CPU in a busy-loop
  - To send a 1 bit, sleep and relinquish CPU
  - Repeat to transfer more bits
• Example: Resource exhaustion
  - High prog. allocates all physical memory if bit is 1
  - Low program tries to allocate memory; if it fails, bit is 1
• More examples: Disk head position, processor cache/TLB pollution, . . .